WordPress
Monthly
The Xpro Addons - 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Scroller widget box link attribute in all versions up to, and including, 1.4.24 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
The Automotive Car Dealership Business WordPress Theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Call to Action' custom fields in all versions up to, and including, 13.4. [CVSS 6.4 MEDIUM]
Privilege escalation in Listee WordPress theme allows unauthenticated attackers to gain administrator access. All versions up to 1.1.6 are affected.
Unauthenticated attackers can modify arbitrary post metadata in WordPress sites running WP Recipe Maker plugin versions up to 10.3.2 due to an insecure direct object reference in the Instacart integration REST API endpoint. The vulnerability stems from improper authorization checks on the recipeId parameter, allowing attackers to overwrite recipe configuration data without authentication. No patch is currently available for this issue.
Fluent Forms Pro Add On Pack for WordPress versions up to 6.1.17 fail to verify PayPal Instant Payment Notifications by default, allowing unauthenticated attackers to forge payment confirmations and mark unpaid submissions as paid. An attacker can exploit this to trigger post-payment automation including email delivery, access grants, and digital product distribution without actual payment. The vulnerability affects all installations that have not manually enabled IPN verification and currently lacks a patch.
Arbitrary file upload in User Frontend plugin for WordPress (versions up to 4.2.8) allows authenticated users with Author-level privileges to bypass file type validation and upload malicious files to the server. This can lead to remote code execution if an attacker uploads executable files to web-accessible directories. The vulnerability remains unpatched and affects all versions through 4.2.8.
The WP SMS plugin for WordPress through version 6.9.12 contains an SQL injection vulnerability that allows high-privileged authenticated users to manipulate database queries and extract sensitive information. An attacker with administrative credentials could exploit this to read arbitrary data from the WordPress database, potentially compromising user information and site configuration. No patch is currently available for this vulnerability.
The WooCommerce Photo Reviews plugin for WordPress versions up to 1.4.4 fails to properly sanitize user input in HTML contexts, enabling attackers to inject malicious scripts that execute in victims' browsers. This stored cross-site scripting vulnerability allows unauthenticated attackers to deface content or steal sensitive information from site visitors. No patch is currently available for this vulnerability.
Remote code execution in WordPress Worry Proof Backup plugin through path traversal in the backup upload feature allows authenticated users with Subscriber privileges or higher to write arbitrary files, including PHP executables, to the server by uploading specially crafted ZIP archives. The vulnerability affects all versions up to 0.2.4 and currently has no available patch, enabling attackers to achieve full server compromise.
Unauthenticated attackers can delete arbitrary user accounts on WordPress sites running the User Registration & Membership plugin through version 5.1.2 due to insufficient validation of the member_id parameter in the register_member function. This IDOR vulnerability specifically targets newly registered accounts marked with the urm_user_just_created meta flag. No patch is currently available.
Unauthenticated attackers can bypass authentication in the WordPress User Registration & Membership plugin (versions up to 5.1.2) due to flawed logic in the user registration function, allowing them to gain unauthorized access to newly created accounts. The vulnerability requires specific conditions but poses a high risk due to the network-accessible nature of the attack and the lack of authentication requirements. No patch is currently available for affected installations.
Stored cross-site scripting in the EM Cost Calculator WordPress plugin up to version 2.3.1 allows unauthenticated attackers to inject malicious scripts through the customer name field, which execute when administrators access the customer list. An attacker can exploit this to steal admin credentials or perform unauthorized actions within the WordPress environment. No patch is currently available for this vulnerability.
Stored XSS in the WordPress Custom Logo plugin through version 2.2 allows authenticated administrators to inject malicious scripts into admin settings that execute for other users. This affects multi-site WordPress installations and single-site setups where unfiltered_html is disabled, requiring high-privilege attacker access but enabling persistent script injection across affected pages.
Stored XSS in WP Social Meta plugin through 1.0.1 allows authenticated administrators to inject malicious scripts into WordPress admin settings that execute for all users viewing affected pages, impacting multi-site installations and configurations with disabled unfiltered_html. The vulnerability requires high administrative privileges and complex exploitation conditions, making practical attacks unlikely despite network accessibility.
The TP2WP Importer plugin for WordPress contains a stored cross-site scripting vulnerability in the attachment importer settings that allows authenticated administrators to inject malicious scripts through the 'Watched domains' textarea due to inadequate input sanitization and output escaping. When other users access the affected settings page, the injected scripts execute in their browsers, potentially allowing administrators to perform unauthorized actions or steal sensitive data. The vulnerability affects all versions up to and including 1.1 with no patch currently available.
Livemesh Addons for Beaver Builder (WordPress plugin) is affected by cross-site scripting (XSS) (CVSS 6.4).
Arbitrary command execution in WPGraphQL's GitHub Actions workflow allows attackers with pull request creation privileges to inject shell commands through unvalidated pull request body content, potentially compromising the build environment and repository integrity. The vulnerability affects WPGraphQL versions prior to 2.9.1 and requires low privileges and user interaction to exploit. No patch is currently available for affected deployments.
Unauthenticated attackers can exploit a path traversal vulnerability in WP Responsive Images plugin for WordPress (all versions up to 1.0) through the 'src' parameter to read arbitrary files from the server. This allows unauthorized access to sensitive information stored on affected WordPress installations. No patch is currently available.
The Events Calendar plugin for WordPress through version 6.15.16 fails to properly validate user capabilities in REST API endpoints, allowing authenticated contributors and higher-privileged users to modify or delete events, organizers, and venues without proper authorization. This capability check bypass affects all installations with the vulnerable plugin version and enables authenticated attackers with lower-level access to cause data integrity issues and service disruption. No patch is currently available for this medium-severity vulnerability.
The Disable Admin Notices - Hide Dashboard Notifications WordPress plugin up to version 1.4.2 lacks proper CSRF protection in its `showPageContent()` function, allowing unauthenticated attackers to inject arbitrary URLs into the blocked redirects list by tricking site administrators into clicking a malicious link. This could enable an attacker to redirect site traffic or manipulate administrator settings without explicit authorization. No patch is currently available for this medium-severity vulnerability.
Secure Copy Content Protection and Content Locking (WordPress plugin) is affected by cross-site scripting (XSS) (CVSS 6.4).
Protected post metadata injection in Post Duplicator plugin for WordPress allows authenticated contributors and higher-privileged users to arbitrarily set sensitive meta keys like _wp_page_template on duplicated posts by bypassing WordPress's standard metadata protection mechanisms. The vulnerability exists in versions up to 3.0.8 due to direct database insertion instead of using WordPress's protected metadata validation function. Attackers can exploit this through the customMetaData parameter in the REST API endpoint to manipulate post properties and potentially compromise site functionality.
WP Recipe Maker (WordPress plugin) is affected by authorization bypass through user-controlled key (CVSS 4.3).
Authenticated WordPress users with Author-level or higher privileges can exploit a Server-Side Request Forgery vulnerability in the Responsive Lightbox & Gallery plugin (versions up to 2.7.1) due to improper hostname validation in the image upload function. This allows attackers to send arbitrary web requests from the vulnerable server to internal services, potentially exposing or modifying sensitive information within the network. The vulnerability affects all versions up to 2.7.1 with no patch currently available.
Unauthenticated attackers can execute SQL injection attacks against WordPress sites running Geo Mashup plugin versions up to 1.13.17 by manipulating the 'sort' parameter, allowing unauthorized database access and extraction of sensitive information. The vulnerability stems from inadequate input validation and query preparation in the plugin code. No patch is currently available, leaving affected installations at risk until an update is released.
Remote code execution in Advanced Woo Labels plugin for WordPress through version 2.37 allows authenticated users with Contributor access or higher to execute arbitrary PHP functions and system commands via an unsanitized callback parameter in an AJAX handler. The vulnerability stems from improper use of call_user_func_array() without adequate input validation or capability restrictions. No patch is currently available for this high-severity flaw affecting WordPress environments.
Unauthenticated attackers can forge authentication tokens in the WPGSI: Spreadsheet Integration plugin for WordPress (versions up to 3.8.3) due to missing capability checks and weak token validation that relies only on Base64-encoded, unsigned user data. This allows remote attackers to create, modify, and delete arbitrary WordPress posts and pages without authentication. No patch is currently available.
Stored XSS in Rise Blocks WordPress plugin versions up to 3.7 allows authenticated contributors and above to inject malicious scripts into pages through the logoTag Site Identity block attribute due to inadequate input sanitization. The injected scripts execute in the browsers of all users who access the compromised pages, potentially leading to credential theft, session hijacking, or malware distribution. No patch is currently available.
The Responsive Lightbox & Gallery WordPress plugin before 2.6.1 is vulnerable to an unauthenticated stored XSS attack due to flawed regex replacement rules that can be abused by posting a comment with a malicious link when the lightbox for comments is enabled and the comment is then approved. [CVSS 8.8 HIGH]
Aruba HiSpeed Cache (aruba-hispeed-cache) WordPress plugin versions prior to 3.0.5 contain a cross-site request forgery (CSRF) vulnerability affecting multiple administrative AJAX actions.
Critical vulnerability in ElementsKit Elementor Addons WordPress plugin allows unauthenticated access to critical functions. CVSS 10.0 affecting a widely-used WordPress plugin with 1M+ installations.
Unauthenticated attackers can manipulate email routing and redirection in The Plus Addons for Elementor plugin for WordPress versions up to 6.4.7 by tampering with the 'email_data' parameter in an AJAX handler that lacks proper cryptographic verification. This allows attackers to trigger unauthorized email relay and redirect users to attacker-controlled sites without authentication. No patch is currently available for this medium-severity vulnerability.
Conditional CAPTCHA (WordPress plugin) versions up to 4.0.0 are affected by URL redirection to untrusted site (open redirect) (CVSS 4.3).
Unauthenticated attackers can delete migrated courses in WordPress sites running LearnPress Export Import versions up to 4.1.0 due to missing capability checks in the data deletion function, provided Tutor LMS is also installed. This allows unauthorized data loss with low complexity exploitation requiring network access. No patch is currently available for this medium-severity vulnerability.
The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to unauthorized form deletion in all versions up to, and including, 2.0.7. [CVSS 6.5 MEDIUM]
Missing authorization controls in the tychesoftwares Print Invoice & Delivery Notes plugin for WooCommerce (versions up to 5.8.0) allow unauthenticated attackers to manipulate access control settings and modify invoice or delivery note data. The vulnerability affects WordPress sites running this plugin and could result in unauthorized data modification. A patch is not currently available.
WP Job Portal versions 2.4.4 and earlier contain an authorization bypass flaw that allows unauthenticated attackers to access sensitive information by exploiting improperly configured access controls. An attacker can remotely exploit this vulnerability without user interaction to gain unauthorized visibility into restricted data. No patch is currently available for this vulnerability.
Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends is affected by authorization bypass through user-controlled key (CVSS 5.4).
Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends is affected by PHP remote file inclusion (CVSS 8.1).
Dotstore Woocommerce Category Banner Management banner-management-for-woocommerce is affected by deserialization of untrusted data (CVSS 8.8).
PersianScript Persian Woocommerce SMS persian-woocommerce-sms is affected by cross-site scripting (XSS) (CVSS 7.1).
WP FullCalendar plugin version 1.6 and earlier for WordPress contains an authorization bypass vulnerability that allows unauthenticated attackers to modify calendar data and disrupt service availability. The weak access control implementation enables remote exploitation without requiring user interaction or special network conditions. Organizations running affected versions should upgrade immediately as no patch is currently available.
realvirtualmx RVCFDI para Woocommerce rvcfdi-para-woocommerce is affected by cross-site scripting (XSS) (CVSS 7.1).
AgniHD Cartify - WooCommerce Gutenberg WordPress Theme cartify is affected by missing authorization (CVSS 6.5).
vanquish WooCommerce Bulk Product Editor woocommerce-quick-product-editor is affected by missing authorization (CVSS 7.1).
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish Upload Files Anywhere wp-upload-files-anywhere allows Path Traversal. This issue affects Upload Files Anywhere: from n/a through <= 2.8. [CVSS 7.5 HIGH]
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish Upload Files Anywhere wp-upload-files-anywhere allows Path Traversal. This issue affects Upload Files Anywhere: from n/a through <= 2.8. [CVSS 8.6 HIGH]
XforWooCommerce Product Filter for WooCommerce prdctfltr contains a security vulnerability (CVSS 7.3).
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Path Traversal. This issue affects User Extra Fields: from n/a through <= 17.0. [CVSS 7.7 HIGH]
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Path Traversal. This issue affects User Extra Fields: from n/a through <= 17.0. [CVSS 8.6 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SolverWp Portfolio Builder swp-portfolio allows PHP Local File Inclusion. This issue affects Portfolio Builder: from n/a through <= 1.2.5. [CVSS 8.1 HIGH]
GT3themes SOHO - Photography WordPress Theme soho is affected by cross-site scripting (XSS) (CVSS 7.1).
GT3themes Oyster - Photography WordPress Theme oyster is affected by cross-site scripting (XSS) (CVSS 7.1).
magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce is affected by deserialization of untrusted data (CVSS 8.8).
Basix NEX-Forms nex-forms-express-wp-form-builder is affected by cross-site scripting (XSS) (CVSS 7.1).
primersoftware Primer MyData for Woocommerce primer-mydata contains a security vulnerability (CVSS 5.3).
Basix NEX-Forms nex-forms-express-wp-form-builder is affected by cross-site scripting (XSS) (CVSS 7.1).
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs Slimstat Analytics wp-slimstat allows Reflected XSS. This issue affects Slimstat Analytics: from n/a through <= 5.3.2. [CVSS 7.1 HIGH]
Bas Schuiling FeedWordPress Advanced Filters faf is affected by cross-site scripting (XSS) (CVSS 7.1).
Missing Authorization vulnerability in ELEXtensions ELEX WordPress HelpDesk & Customer Ticketing System elex-helpdesk-customer-support-ticket-system allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ELEX WordPress HelpDesk & Customer Ticketing System: from n/a through <= 3.3.5. [CVSS 6.5 MEDIUM]
Missing Authorization vulnerability in Saiful Islam Sync Master Sheet – Product Sync with Google Sheet for WooCommerce product-sync-master-sheet allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sync Master Sheet – Product Sync with Google Sheet for WooCommerce: from n/a through <= 1.1.3.
WebCodingPlace WooCommerce Coming Soon Product with Countdown woo-coming-soon-product is affected by PHP remote file inclusion (CVSS 6.3).
Unrestricted file upload in Wiguard (wiguard) WordPress theme allows uploading web shells for remote code execution.
Mollie Mollie Payments for WooCommerce mollie-payments-for-woocommerce is affected by cross-site scripting (XSS) (CVSS 7.1).
Missing Authorization vulnerability in Passionate Brains GA4WP: Google Analytics for WordPress ga-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GA4WP: Google Analytics for WordPress: from n/a through <= 2.10.0. [CVSS 6.5 MEDIUM]
Addonify Addonify Floating Cart For WooCommerce addonify-floating-cart is affected by missing authorization (CVSS 6.5).
Missing Authorization vulnerability in Addonify Addonify - WooCommerce Wishlist addonify-wishlist allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Addonify - WooCommerce Wishlist: from n/a through <= 2.0.15. [CVSS 6.5 MEDIUM]
Missing Authorization vulnerability in Addonify Addonify – Compare Products For WooCommerce addonify-compare-products allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Addonify – Compare Products For WooCommerce: from n/a through <= 1.1.17. [CVSS 6.5 MEDIUM]
soporteblue Plugin BlueX for WooCommerce bluex-for-woocommerce is affected by missing authorization (CVSS 6.3).
vanquish User Extra Fields wp-user-extra-fields is affected by cross-site scripting (XSS) (CVSS 7.1).
Missing Authorization vulnerability in WP Legal Pages WPLegalPages wplegalpages allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPLegalPages: from n/a through <= 3.5.4. [CVSS 7.5 HIGH]
knitpay UPI QR Code Payment Gateway for WooCommerce upi-qr-code-payment-for-woocommerce is affected by missing authorization (CVSS 6.5).
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Soflyy WP Wizard Cloak wp-wizard-cloak allows Reflected XSS. This issue affects WP Wizard Cloak: from n/a through <= 1.0.1. [CVSS 7.1 HIGH]
Missing Authorization vulnerability in staviravn AIO WP Builder all-in-one-wp-builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AIO WP Builder: from n/a through <= 2.0.2. [CVSS 7.6 HIGH]
Stored XSS in Master Addons For Elementor plugin (WordPress versions up to 2.1.1) allows authenticated contributors and above to inject malicious scripts into pages through the 'ma_el_bh_table_btn_text' parameter due to insufficient input sanitization. When other users access affected pages, the injected scripts execute in their browsers, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available.
The Survey Maker WordPress plugin through version 5.1.7.7 is vulnerable to reflected cross-site scripting (XSS) that requires user interaction to exploit. An attacker can craft a malicious link to inject arbitrary JavaScript into a victim's browser session, potentially allowing credential theft or malicious actions within WordPress. No patch is currently available, leaving affected installations at risk.
The Quiz Maker plugin for WordPress versions up to 6.7.1.7 allows authenticated contributors and higher-privileged users to inject persistent JavaScript through the `vc_quizmaker` shortcode due to inadequate input validation, enabling malicious script execution in pages viewed by other users. The vulnerability requires WPBakery Page Builder to be active and has no available patch. An attacker with contributor access can deface content or steal sensitive information from site visitors.
Authenticated users can modify email configurations in YayMail for WooCommerce through version 4.3.2 due to missing authorization checks on access control settings. An attacker with low-level WordPress user privileges could alter email templates or settings without proper permissions. No patch is currently available for this vulnerability.
Product Table and List Builder for WooCommerce Lite (WordPress plugin) is affected by SQL injection (CVSS 7.5).
Unauthenticated attackers can exploit time-based SQL injection in wpForo Forum plugin for WordPress versions up to 2.4.14 through the 'wpfob' parameter to extract sensitive database information. The vulnerability stems from insufficient input sanitization and improper SQL query preparation, allowing attackers to inject arbitrary SQL commands without authentication. No patch is currently available.
The Dealia - Request a Quote WordPress plugin through version 1.0.6 allows authenticated contributors and above to inject malicious scripts into pages via improperly escaped Gutenberg block attributes. An attacker with contributor-level access can embed arbitrary JavaScript that executes when users view the affected pages, potentially compromising user sessions and data. No patch is currently available.
Stored XSS in the Client Testimonial Slider WordPress plugin through version 2.0 allows administrators to inject malicious scripts into the 'Testimonial Heading' setting due to inadequate input sanitization. The injected scripts execute when users view affected pages, impacting multi-site WordPress installations or sites with unfiltered_html disabled. Currently no patch is available.
Simple Membership (WordPress plugin) versions up to 4.7.0 contains a security vulnerability (CVSS 6.5).
Radio by Sonaar versions up to 4.0 is affected by authorization bypass through user-controlled key (CVSS 5.3).
PI Web Solution Live sales notification for WooCommerce live-sales-notifications-for-woocommerce is affected by missing authorization (CVSS 5.3).
villatheme Sales Countdown Timer for WooCommerce and WordPress sctv-sales-countdown-timer is affected by PHP remote file inclusion (CVSS 7.5).
The WP-CORS WordPress plugin through version 0.2.2 contains an authorization bypass that allows authenticated users to modify content due to improperly configured access controls. An attacker with valid WordPress credentials could exploit this to make unauthorized changes to website data. No patch is currently available for this vulnerability.
crgeary JAMstack Deployments wp-jamstack-deployments is affected by missing authorization (CVSS 4.3).
Improper access control in WP Job Manager through version 2.4.0 permits unauthenticated attackers to access sensitive information by bypassing authorization checks. The vulnerability affects WordPress sites running the vulnerable plugin and could allow unauthorized disclosure of job-related data. No patch is currently available.
The Update URLs WordPress plugin through version 1.4.0 contains an open redirect vulnerability that allows unauthenticated attackers to craft malicious links redirecting users to arbitrary external sites, enabling phishing attacks. The vulnerability requires user interaction to click a crafted link but has no patch currently available. Affected WordPress sites using this plugin should upgrade or disable it immediately.
Unauthenticated attackers can execute SQL injection attacks against WordPress sites running Geo Mashup plugin versions up to 1.13.17 by manipulating the 'sort' parameter, allowing unauthorized database access and extraction of sensitive information. The vulnerability stems from inadequate input validation and query preparation in the plugin code. No patch is currently available, leaving affected installations at risk until an update is released.
Remote code execution in Advanced Woo Labels plugin for WordPress through version 2.37 allows authenticated users with Contributor access or higher to execute arbitrary PHP functions and system commands via an unsanitized callback parameter in an AJAX handler. The vulnerability stems from improper use of call_user_func_array() without adequate input validation or capability restrictions. No patch is currently available for this high-severity flaw affecting WordPress environments.
Unauthenticated attackers can forge authentication tokens in the WPGSI: Spreadsheet Integration plugin for WordPress (versions up to 3.8.3) due to missing capability checks and weak token validation that relies only on Base64-encoded, unsigned user data. This allows remote attackers to create, modify, and delete arbitrary WordPress posts and pages without authentication. No patch is currently available.
Stored XSS in Rise Blocks WordPress plugin versions up to 3.7 allows authenticated contributors and above to inject malicious scripts into pages through the logoTag Site Identity block attribute due to inadequate input sanitization. The injected scripts execute in the browsers of all users who access the compromised pages, potentially leading to credential theft, session hijacking, or malware distribution. No patch is currently available.
The Responsive Lightbox & Gallery WordPress plugin before 2.6.1 is vulnerable to an Unauthenticated Stored-XSS attack due to flawed regex replacement rules that can be abused by posting a comment with a malicious link when lightbox for comments is enabled and the comment is then approved. [CVSS 8.8 HIGH]
Aruba HiSpeed Cache (aruba-hispeed-cache) WordPress plugin versions prior to 3.0.5 contain a cross-site request forgery (CSRF) vulnerability affecting multiple administrative AJAX actions.
Critical vulnerability in ElementsKit Elementor Addons WordPress plugin allows unauthenticated access to critical functions. CVSS 10.0 affecting a widely-used WordPress plugin with 1M+ installations.
Unauthenticated attackers can manipulate email routing and redirection in The Plus Addons for Elementor plugin for WordPress versions up to 6.4.7 by tampering with the 'email_data' parameter in an AJAX handler that lacks proper cryptographic verification. This allows attackers to trigger unauthorized email relay and redirect users to attacker-controlled sites without authentication. No patch is currently available for this medium-severity vulnerability.
Conditional CAPTCHA WordPress plugin versions up to 4.0.0 are affected by URL redirection to an untrusted site (open redirect) (CVSS 4.3).
Unauthenticated attackers can delete migrated courses in WordPress sites running LearnPress Export Import versions up to 4.1.0 due to missing capability checks in the data deletion function, provided Tutor LMS is also installed. This allows unauthorized data loss with low complexity exploitation requiring network access. No patch is currently available for this medium-severity vulnerability.
The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to unauthorized form deletion in all versions up to, and including, 2.0.7. [CVSS 6.5 MEDIUM]
Missing authorization controls in the tychesoftwares Print Invoice & Delivery Notes plugin for WooCommerce (versions up to 5.8.0) allow unauthenticated attackers to manipulate access control settings and modify invoice or delivery note data. The vulnerability affects WordPress sites running this plugin and could result in unauthorized data modification. A patch is not currently available.
WP Job Portal versions 2.4.4 and earlier contain an authorization bypass flaw that allows unauthenticated attackers to access sensitive information by exploiting improperly configured access controls. An attacker can remotely exploit this vulnerability without user interaction to gain unauthorized visibility into restricted data. No patch is currently available for this vulnerability.
Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends is affected by authorization bypass through user-controlled key (CVSS 5.4).
Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends is affected by php remote file inclusion (CVSS 8.1).
Dotstore Woocommerce Category Banner Management banner-management-for-woocommerce is affected by deserialization of untrusted data (CVSS 8.8).
PersianScript Persian Woocommerce SMS persian-woocommerce-sms is affected by cross-site scripting (xss) (CVSS 7.1).
WP FullCalendar plugin version 1.6 and earlier for WordPress contains an authorization bypass vulnerability that allows unauthenticated attackers to modify calendar data and disrupt service availability. The weak access control implementation enables remote exploitation without requiring user interaction or special network conditions. Organizations running affected versions should upgrade immediately as no patch is currently available.
realvirtualmx RVCFDI para Woocommerce rvcfdi-para-woocommerce is affected by cross-site scripting (xss) (CVSS 7.1).
AgniHD Cartify - WooCommerce Gutenberg WordPress Theme cartify is affected by missing authorization (CVSS 6.5).
vanquish WooCommerce Bulk Product Editor woocommerce-quick-product-editor is affected by missing authorization (CVSS 7.1).
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish Upload Files Anywhere wp-upload-files-anywhere allows Path Traversal. This issue affects Upload Files Anywhere: from n/a through <= 2.8. [CVSS 7.5 HIGH]
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish Upload Files Anywhere wp-upload-files-anywhere allows Path Traversal. This issue affects Upload Files Anywhere: from n/a through <= 2.8. [CVSS 8.6 HIGH]
XforWooCommerce Product Filter for WooCommerce prdctfltr contains a security vulnerability (CVSS 7.3).
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Path Traversal. This issue affects User Extra Fields: from n/a through <= 17.0. [CVSS 7.7 HIGH]
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Path Traversal. This issue affects User Extra Fields: from n/a through <= 17.0. [CVSS 8.6 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SolverWp Portfolio Builder swp-portfolio allows PHP Local File Inclusion. This issue affects Portfolio Builder: from n/a through <= 1.2.5. [CVSS 8.1 HIGH]
GT3themes SOHO - Photography WordPress Theme soho is affected by cross-site scripting (xss) (CVSS 7.1).
GT3themes Oyster - Photography WordPress Theme oyster is affected by cross-site scripting (xss) (CVSS 7.1).
magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce is affected by deserialization of untrusted data (CVSS 8.8).
Basix NEX-Forms nex-forms-express-wp-form-builder is affected by cross-site scripting (xss) (CVSS 7.1).
primersoftware Primer MyData for Woocommerce primer-mydata contains a security vulnerability (CVSS 5.3).
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs Slimstat Analytics wp-slimstat allows Reflected XSS. This issue affects Slimstat Analytics: from n/a through <= 5.3.2. [CVSS 7.1 HIGH]
Bas Schuiling FeedWordPress Advanced Filters faf is affected by cross-site scripting (xss) (CVSS 7.1).
Missing Authorization vulnerability in ELEXtensions ELEX WordPress HelpDesk & Customer Ticketing System elex-helpdesk-customer-support-ticket-system allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ELEX WordPress HelpDesk & Customer Ticketing System: from n/a through <= 3.3.5. [CVSS 6.5 MEDIUM]
Missing Authorization vulnerability in Saiful Islam Sync Master Sheet – Product Sync with Google Sheet for WooCommerce product-sync-master-sheet allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sync Master Sheet – Product Sync with Google Sheet for WooCommerce: from n/a through <= 1.1.3.
WebCodingPlace WooCommerce Coming Soon Product with Countdown woo-coming-soon-product is affected by php remote file inclusion (CVSS 6.3).
Unrestricted file upload in Wiguard (wiguard) WordPress theme allows uploading web shells for remote code execution.
Mollie Mollie Payments for WooCommerce mollie-payments-for-woocommerce is affected by cross-site scripting (xss) (CVSS 7.1).
Missing Authorization vulnerability in Passionate Brains GA4WP: Google Analytics for WordPress ga-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GA4WP: Google Analytics for WordPress: from n/a through <= 2.10.0. [CVSS 6.5 MEDIUM]
Addonify Addonify Floating Cart For WooCommerce addonify-floating-cart is affected by missing authorization (CVSS 6.5).
Missing Authorization vulnerability in Addonify Addonify - WooCommerce Wishlist addonify-wishlist allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Addonify - WooCommerce Wishlist: from n/a through <= 2.0.15. [CVSS 6.5 MEDIUM]
Missing Authorization vulnerability in Addonify Addonify – Compare Products For WooCommerce addonify-compare-products allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Addonify – Compare Products For WooCommerce: from n/a through <= 1.1.17. [CVSS 6.5 MEDIUM]
soporteblue Plugin BlueX for WooCommerce bluex-for-woocommerce is affected by missing authorization (CVSS 6.3).
vanquish User Extra Fields wp-user-extra-fields is affected by cross-site scripting (xss) (CVSS 7.1).
Missing Authorization vulnerability in WP Legal Pages WPLegalPages wplegalpages allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPLegalPages: from n/a through <= 3.5.4. [CVSS 7.5 HIGH]
knitpay UPI QR Code Payment Gateway for WooCommerce upi-qr-code-payment-for-woocommerce is affected by missing authorization (CVSS 6.5).
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Soflyy WP Wizard Cloak wp-wizard-cloak allows Reflected XSS. This issue affects WP Wizard Cloak: from n/a through <= 1.0.1. [CVSS 7.1 HIGH]
Missing Authorization vulnerability in staviravn AIO WP Builder all-in-one-wp-builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AIO WP Builder: from n/a through <= 2.0.2. [CVSS 7.6 HIGH]
Stored XSS in Master Addons For Elementor plugin (WordPress versions up to 2.1.1) allows authenticated contributors and above to inject malicious scripts into pages through the 'ma_el_bh_table_btn_text' parameter due to insufficient input sanitization. When other users access affected pages, the injected scripts execute in their browsers, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available.
The Survey Maker WordPress plugin through version 5.1.7.7 is vulnerable to reflected cross-site scripting (XSS) that requires user interaction to exploit. An attacker can craft a malicious link to inject arbitrary JavaScript into a victim's browser session, potentially allowing credential theft or malicious actions within WordPress. No patch is currently available, leaving affected installations at risk.
The Quiz Maker plugin for WordPress versions up to 6.7.1.7 allows authenticated contributors and higher-privileged users to inject persistent JavaScript through the `vc_quizmaker` shortcode due to inadequate input validation, enabling malicious script execution in pages viewed by other users. The vulnerability requires WPBakery Page Builder to be active and has no available patch. An attacker with contributor access can deface content or steal sensitive information from site visitors.
Authenticated users can modify email configurations in YayMail for WooCommerce through version 4.3.2 due to missing authorization checks on access control settings. An attacker with low-level WordPress user privileges could alter email templates or settings without proper permissions. No patch is currently available for this vulnerability.
Product Table and List Builder for WooCommerce Lite (WordPress plugin) is affected by sql injection (CVSS 7.5).
Unauthenticated attackers can exploit time-based SQL injection in wpForo Forum plugin for WordPress versions up to 2.4.14 through the 'wpfob' parameter to extract sensitive database information. The vulnerability stems from insufficient input sanitization and improper SQL query preparation, allowing attackers to inject arbitrary SQL commands without authentication. No patch is currently available.
The Dealia - Request a Quote WordPress plugin through version 1.0.6 allows authenticated contributors and above to inject malicious scripts into pages via improperly escaped Gutenberg block attributes. An attacker with contributor-level access can embed arbitrary JavaScript that executes when users view the affected pages, potentially compromising user sessions and data. No patch is currently available.
Stored XSS in the Client Testimonial Slider WordPress plugin through version 2.0 allows administrators to inject malicious scripts into the 'Testimonial Heading' setting due to inadequate input sanitization. The injected scripts execute when users view affected pages, impacting multi-site WordPress installations or sites with unfiltered_html disabled. Currently no patch is available.
Simple Membership (WordPress plugin) versions up to 4.7.0 contain a security vulnerability (CVSS 6.5).
Radio by Sonaar versions up to 4.0 are affected by authorization bypass through user-controlled key (CVSS 5.3).
PI Web Solution Live sales notification for WooCommerce live-sales-notifications-for-woocommerce is affected by missing authorization (CVSS 5.3).
villatheme Sales Countdown Timer for WooCommerce and WordPress sctv-sales-countdown-timer is affected by php remote file inclusion (CVSS 7.5).
The WP-CORS WordPress plugin through version 0.2.2 contains an authorization bypass that allows authenticated users to modify content due to improperly configured access controls. An attacker with valid WordPress credentials could exploit this to make unauthorized changes to website data. No patch is currently available for this vulnerability.
crgeary JAMstack Deployments wp-jamstack-deployments is affected by missing authorization (CVSS 4.3).
Improper access control in WP Job Manager through version 2.4.0 permits unauthenticated attackers to access sensitive information by bypassing authorization checks. The vulnerability affects WordPress sites running the vulnerable plugin and could allow unauthorized disclosure of job-related data. No patch is currently available.
The Update URLs WordPress plugin through version 1.4.0 contains an open redirect vulnerability that allows unauthenticated attackers to craft malicious links redirecting users to arbitrary external sites, enabling phishing attacks. The vulnerability requires user interaction to click a crafted link but has no patch currently available. Affected WordPress sites using this plugin should upgrade or disable it immediately.